{
	"id": "0650198b-8d9e-4a9a-a5c8-6ab22e70ce20",
	"created_at": "2026-04-06T00:11:37.863614Z",
	"updated_at": "2026-04-10T13:11:59.343865Z",
	"deleted_at": null,
	"sha1_hash": "04847e1239f1bd6c2a9c80d3d8391ce4da6f1f04",
	"title": "Delphi Used To Score Against Palestine",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1594686,
	"plain_text": "Delphi Used To Score Against Palestine\r\nBy Warren Mercer\r\nPublished: 2017-06-19 · Archived: 2026-04-05 14:20:45 UTC\r\nThis blog was authored by Paul Rascagneres and Warren Mercer with contributions from Emmanuel Tacheau,\r\nVanja Svajcer and Martin Lee.\r\nExecutive Summary\r\nTalos continuously monitors malicious emails campaigns. We identified one\r\nspecific spear phishing campaign launched against targets within Palestine, and\r\nspecifically against Palestinian law enforcement agencies. This campaign started in\r\nApril 2017, using a spear phishing campaign to deliver the MICROPSIA payload\r\nin order to remotely control infected systems. Although this technique is not new, it\r\nremains an effective technique for attackers.\r\nThe malware itself was developed in Delphi; in this article, we describe the features and the network\r\ncommunication to the command and control server used by the attackers. The threat actor has chosen to reference\r\nTV show characters and include German language words within the attack. Most significantly, the attacker has\r\nappeared to have used genuine documents stolen from Palestinian sources as well as a controversial music video\r\nas part of the attack.\r\nThe subject of the email translates to \"Brothers security officers and directors\", with the text content \"Kindly to\r\nview and circulate under the responsibility:\r\nThe Council of Ministers' Decision on the Use of the Internet in Government Institutions\"\r\nAttached to the email is a .r10 file, which suggests that the file is a tenth part of a split RAR archive. However,\r\nthis isn't the case. The attachment is a simple RAR file. 
Despite the unusual file name extension, this file can be\r\nopened by many RAR archive handlers without modification.\r\nThe RAR archive contains a single executable file named:\r\nInternetPolicy_65573247239876023_3247648974234_32487234235667_pdf.exe\r\nhttps://blog.talosintelligence.com/2017/06/palestine-delphi.html\r\nPage 1 of 14\n\nThe .r10 file extension may have been chosen in order to confuse automated file parsing systems that check for\r\nmalicious contents of archives with known file name extensions. Similarly, the long name of the file within the\r\narchive, along with the ending '_pdf.exe', may have been used to convince victims that the file is a\r\nreal PDF file. It is worth keeping in mind that by default Windows will not show the .exe extension to the user.\r\nThe icon of the executable file itself is the one commonly used for PDF files, reinforcing the idea that the contents of the\r\narchive are a PDF.\r\nWhen the executable is launched it extracts the decoy document embedded as the PE resource named Resource_1\r\nand opens it.\r\nDecoy Document\r\nThe decoy document displayed, InternetPolicy.pdf, is a scanned document by the Ministry Of\r\nInterior of the State Of Palestine, signed by Dr Alaa Mousa, Minister of Communications \u0026\r\nTechnologies:\r\nThe decoy document contains 7 pages describing new internet usage policies. The first page (shown above)\r\ninforms governmental departments of the policy, and instructs them to follow it. A handwritten note stated to be\r\nfrom the Director of the IT Department adds his 'seal of approval' to the document.\r\nIn the background, the malware MICROPSIA is executed on the infected system. 
This malware is a Remote\r\nAdministration Tool (RAT); it is described later.\r\nAssociated Campaigns\r\nWe have also identified drive-by download campaigns which are distributing\r\nvariants of the same malware, but with different decoy documents.\r\nURLs used in this campaign include:\r\nhttp://sheldon-cooper[.]info/Fuqha_NewDetails_docx.r10\r\nhttp://feteh-asefa[.]com/pc/public/Fuqha_NewDetails_docx.r10\r\nhttp://feteh-asefa[.]com/pc/public/Altarnatevs.r10\r\nhttps://sheldon-cooper[.]info/attachment.r10\r\nAs with the spear phish, the archives also have the same .r10 extension. The first two archives contain the file\r\nFuqha_NewDetails_874918321795_39778423423094_1988734200039_docx.exe; although the file name\r\nsuggests a .docx file, the icon is that of a PDF document.\r\nThe second two archives contain the file\r\nAltarnatives_Palestine_89840923498679852_9879483278432732489_pdf.exe, again an executable file with\r\na PDF style icon.\r\nDecoy Documents\r\nAltarnatives_Palestine Document\r\nThe .pdf decoy document is a study from the Palestinian Center for Policy Research and Strategic Studies\r\n(MASARAT):\r\nThis 22-page research document addresses the current level of threat \u0026 security issues within the West Bank\r\nfor 2016 \u0026 2017. It contains chapters relating to human rights, data from the Arab World for Research and\r\nDevelopment center, a violence center report, etc.\r\nFuqha_NewDetails Document\r\nThis 8-page document appears to be an intelligence report based on interviews, documents and public\r\ninformation. The document mentions an assassination report of one of the highest ranked officers of the Al\r\nQassam group (Military Wing of HAMAS, aka Armed Militia). 
The document contains a single image, an\r\nillustration of the leadership of Hamas, hierarchical security \u0026 subgroups:\r\nPlan_Palestine Document\r\nPlan_Palestine_898409266595123498679852_9879483278432732489_pdf.exe\r\nThe decoy document of this sample is a Word document. It presents the strategic objectives, policies and\r\ninterventions concerning security units (aka Police), including how to face the challenges, how to train police, new\r\nweapons, etc.\r\nDiwan2017_Palestine Document\r\nDiwan2017_Palestine_89840923498679852_9879483278432732489_pdf.exe\r\nThis decoy document is a PDF file. The document itself appears to be scanned from the Council of Ministers of\r\nPalestine and relates to an announcement concerning employee regulation.\r\nGoal2017 Document\r\nGoal2017_487886_10152599711675287_250999354_n_354343741352mp4.exe\r\nInstead of a decoy document, this sample is a decoy video of a music clip \"Goal\" by the Lebanese singers Myriam\r\nKlink and Jad Khalife. This video is particularly controversial as the overt nature of the video led it to be banned\r\nby the Lebanese Justice ministry. The sharing or airing of it is subject to a fine of 50 000 000 Lebanese Liras\r\n(approximately 33k USD).\r\nMICROPSIA Analysis\r\nFor all of these decoy documents, the malware is identical; the only differences are\r\nthe sections containing the decoy documents themselves. The malware is a remote\r\naccess trojan (RAT) written in Delphi named MICROPSIA.\r\nFeatures\r\nFirstly, the malware copies itself to C:\\ProgramData\\MediaPlayer\\ExecuteLibrary.exe. The\r\nmalware contains several resources, one of which is the decoy document, another is a legitimate\r\nbinary developed by OptimumX named shortcut.exe. 
As expected, the purpose of this tool is to\r\ncreate a shortcut. It is through creating a shortcut that the malware ensures its persistence:\r\nShortcut.exe /f:\"C:\\Users\\Administrator\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\D_Windows_v1.lnk\" /a:c /t:\"C:\\ProgramData\\MediaPlayer\\ExecuteLibrary.exe\"\r\nThe malware is a Remote Administration Tool (RAT) which downloads and executes an executable obtained from\r\nthe Command \u0026 Control infrastructure. This executable is downloaded in string format and then converted\r\ninto a binary file with the Hex2Bin Delphi API.\r\nAn interesting element is the obfuscation algorithm used to hide the configuration of the RAT. The variables are\r\nstored in a custom base64:\r\nOnce decoded with base64 and with 2 XOR keys we can obtain the configuration of the malware:\r\n[{000214A0-0000-0000-C000-000000000046}]\r\nProp3=19,2\r\n[InternetShortcut]\r\nIDList=\r\nURL=file://\r\nMozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)\r\nhttp://camilleoconnell.website/api/white_walkers/\r\ndaenerys\r\nbetriebssystem\r\nanwendung\r\nmikasa\r\nackerman\r\nginny\r\nAV\r\nWe will see later that this configuration contains the User-Agent, the CC URL and the json keys used for the\r\nnetwork communication.\r\nAdditionally, the malware is interested in the security products installed on the system. It uses WMI queries to get this\r\ninformation:\r\nSELECT * FROM AntiVirusProduct\r\nSELECT * FROM AntiSpywareProduct\r\nSELECT * FROM FirewallProduct\r\nIf a security product is installed this information is sent to the\r\nattacker.\r\nNetwork Communication\r\nAll the network parameters are stored in the sample and can be easily updated by the author. The\r\nCnC is a web server: http://camilleoconnell[.]website\r\nThe network communication is performed over HTTP. 
The malware uses a hardcoded User-Agent: Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)\r\nTo register a new infected system the malware performs a POST request to /api/white_walkers/new with data on\r\nthe compromised system consisting of:\r\nthe filename of the executed malware and the version;\r\nthe version of the infected Operating System;\r\nthe hostname and username encoded in base64.\r\nThe CC will reply in json format. The json object contains\r\nan ID (incremented each time that an infected system is registered) and 3 other boolean values: load_varys,\r\nlma and ausfart. Here is an output of a registration:\r\nAs part of our investigation we believe currently more than 500 systems are already registered on the CC. This\r\nnumber may be a mix of genuinely infected systems and security researcher sandbox systems.\r\nAfter registration, the malware periodically performs HTTP requests to the CC with the following pattern: GET\r\n/api/white_walkers/[base64_data_previously_sent]/requests\r\nThe server will reply with a json object. We assume that the server can issue orders to the infected system. Here is\r\nan example:\r\nReference to TV Show Characters\r\nIn the analysed variant, we identified several references to TV show characters in the network\r\ncommunication and the URLs used by this actor:\r\nsheldon-cooper[.]info: this URL is a reference to one of the main characters of \"The Big Bang Theory\"\r\nnamed Sheldon Cooper;\r\ncamilleoconnell[.]website: this URL is a reference to Camille O'Connell, the main actress of \"The Vampire\r\nDiaries\" and \"The Originals\";\r\nMikasa Ackerman is a json key returned by the CC. 
This name is a character in \"Attack on Titan\";\r\n/White_Walker/ in the URL is a species in the TV show \"Game of Thrones\";\r\nDaenerys is a variable used during web requests. This is the name of a character in \"Game of Thrones\";\r\nLord_varys is another json key returned by the CC. This is the name of a \"Game of Thrones\" character.\r\nThe malware author appears to have a real interest in TV shows.\r\nGoethe's Style\r\nWe identified the use of German language words in the network communication with the\r\nCommand and Control server.\r\n\"Betriebssystem\" which means Operating System. This variable is used to send the OS version (for\r\nexample \"Windows 7 Service Pack 1 (Version 6.1, Build 7601, 32-bit Edition)\")\r\n\"Anwendung\" which means Application. This variable is used to send the filename and the version of the\r\nmalware.\r\n\"Ausfahrt\" which means Exit. This is a json key used by the CC during network communication. The key\r\ncontains a boolean (false/true)\r\nObviously, the use of German words does not necessarily mean that the author is German. The author could\r\nsimply be adding German words in order to cover their tracks.\r\nConclusion\r\nThis spear phishing campaign was directed against Palestinian authorities and\r\npossibly against other entities. At least 500 machines have been registered by the\r\nCC infrastructure, which is still operating, indicating that this is a successful\r\ncampaign.\r\nAt Talos, we have in-depth experience of many APT campaigns; in this case one of the most surprising elements is\r\nthe overt naming convention: the author deliberately uses references to several US TV shows and intentionally uses\r\nGerman words for malware communication. We have no indication whether these inclusions are to confuse attribution,\r\nto mock analysts, or a lapse of tradecraft. 
This is in contrast to the highly convincing decoy documents, which\r\nappear to be copies of genuine documents relating to the current situation in Palestine and which suggest a high\r\ndegree of professionalism.\r\nIOCs\r\nFile hashes\r\nInternetPolicy.r10: 9b162f43bcbfaef4e7e7bdffcf82b7512fac0fe81b7f2c172e1972e5fe4c9327\r\nInternetPolicy_65573247239876023_3247648974234_32487234235667_pdf.exe:\r\n9cb5ef0b17eea1a43d5d323277e08645574c53ab1f65b0031a6fc323f52b0079\r\nAttachment.r10: c7081b00ad8db62519c7af2cb5f493f56ecc487b087ae52d01f43953d2aa6952\r\nAltarnatives_Palestine_89840923498679852_9879483278432732489_pdf.exe:\r\n0180e2b601ae643e7adf1784c313dd2d10d114bd2b5692eb6e9c031a6e448ed1\r\nFuqha_NewDetails_docx.r10: 94902877b2cb523548a272d4e4fe0789192e1cb35b531297368b16a2865b33af\r\nFuqha_NewDetails_874918321795_39778423423094_1988734200039_docx.exe:\r\n77adba034d13b570c6aab79282326a1eb2efdfc14fbd7cd0651906e3fa31f9fe\r\nPlan_Palestine_898409266595123498679852_9879483278432732489_pdf.exe:\r\n6c5884cf45d943f51566ea98113fecf851d49f59b70c8039aa21a14e09e21e5c\r\nDiwan2017_Palestine_89840923498679852_9879483278432732489_pdf.exe:\r\n7c87f992674b962269d7fb2ffbad6d21f606c90d151a6fb67ac54387b6883aae\r\nGoal2017_487886_10152599711675287_250999354_n_354343741352mp4.exe:\r\n5f5af4762c073234fef6bfeaa3b9f6a04982e82a25e540116aa1f9e38223ae2b\r\nDomains\r\nfeteh-asefa[.]com\r\nsheldon-cooper[.]info\r\ncamilleoconnell[.]website\r\nURLs\r\nhttp://sheldon-cooper[.]info/Fuqha_NewDetails_docx.r10\r\nhttp://feteh-asefa[.]com/pc/public/Fuqha_NewDetails_docx.r10\r\nhttp://feteh-asefa[.]com/pc/public/Altarnatevs.r10\r\nhttps://sheldon-cooper[.]info/attachment.r10\r\nhttp://camilleoconnell[.]website/api/white_walkers/new\r\nhttp://camilleoconnell[.]website/api/white_walkers/[base64]/requests\r\nCoverage\r\nOpen Source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack\r\navailable for purchase on Snort.org.\r\nAdditional ways our customers can detect and block this threat are listed below.\r\nAdvanced Malware Protection (AMP) is ideally suited to prevent the execution of the malware used by these\r\nthreat actors.\r\nCWS or WSA web scanning prevents access to malicious websites and detects malware used in these attacks.\r\nNetwork Security appliances such as NGFW, NGIPS, and Meraki MX with Advanced Security can detect\r\nmalicious activity associated with this threat. AMP Threat Grid helps identify malicious binaries and build\r\nprotection into all Cisco Security products.\r\nUmbrella prevents DNS resolution of the domains associated with malicious activity.\r\nStealthwatch detects network scanning activity, network propagation, and connections to CnC infrastructures,\r\ncorrelating this activity to alert administrators.\r\nSource: https://blog.talosintelligence.com/2017/06/palestine-delphi.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MITRE",
		"MISPGALAXY",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.talosintelligence.com/2017/06/palestine-delphi.html"
	],
	"report_names": [
		"palestine-delphi.html"
	],
	"threat_actors": [
		{
			"id": "9198aefa-3da6-4605-bb52-923df20a7fce",
			"created_at": "2023-01-06T13:46:38.766848Z",
			"updated_at": "2026-04-10T02:00:03.093153Z",
			"deleted_at": null,
			"main_name": "The Big Bang",
			"aliases": [],
			"source_name": "MISPGALAXY:The Big Bang",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f7d9b02d-d294-422b-adf7-4b3adfac9d9a",
			"created_at": "2022-10-25T16:07:23.392241Z",
			"updated_at": "2026-04-10T02:00:04.577887Z",
			"deleted_at": null,
			"main_name": "The Big Bang",
			"aliases": [],
			"source_name": "ETDA:The Big Bang",
			"tools": [
				"Micropsia"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434297,
	"ts_updated_at": 1775826719,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/04847e1239f1bd6c2a9c80d3d8391ce4da6f1f04.pdf",
		"text": "https://archive.orkl.eu/04847e1239f1bd6c2a9c80d3d8391ce4da6f1f04.txt",
		"img": "https://archive.orkl.eu/04847e1239f1bd6c2a9c80d3d8391ce4da6f1f04.jpg"
	}
}